Phishing attack breaches 38,000 patient records at Legacy Health

According to the notice, officials discovered unauthorized access to some employee email accounts on June 21. However, the access began several weeks before in May 2018. The health system hired a third-party forensic firm to help with its investigation.

Officials determined patient data was included in the breached email accounts, including demographic information, dates of birth, health insurance data, billing details, medical data and for some patients, Social Security numbers and driver’s licenses.

Legacy Health is “implementing additional access restrictions.” All impacted patients were given one year of free monitoring. No further details were provided.

The health system is just the latest to be breached by a phishing attack this year. In fact, the most recent Protenus Breach Barometer found phishing attacks were the greatest cyber threat of the second quarter of 2018.

Fending off phishing attacks begin with staff education. Many organizations have found success in phishing simulations that test awareness among employees. Network monitoring is also critical to detect abnormal access or user behavior.